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(5) Protection system for critical memory information. 



@ A computer system, typically a postage meter 
system, has a processor (10), a memory (11, 12, 
13), an address decoder (16), and a window 
circuit (70). The window circuit selectively 
couples the write strobe output (15) of the 
processor with the write strobe input of the 
memory in response to the processor's setting 
and clearing of a latched signal. A counter 
resets the processor if the latched signal is set 
and not cleared within a predetermined time 
period. 
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The invention relates generally to the protection 
of important or critical data in memory devices, and 
relates particularly to protection of such data in post- 
age meters. 

When important information is stored in a com- s 
puter system it is commonplace to provide security 
against loss of some or all of the information, for ex- 
ample by making a backup copy of the information. In 
some systems, however, the information as stored in 
the system is what must be capable of being relied 10 
upon, and the theoretical feasibility of relying on back- 
ups is of tittle or no value. An example of such a sys- 
tem is the electronic postage meter, in which the 
amount of postage available for printing is stored in a 
nonvolatile memory. The user should not be able to 15 
affect the stored postage data in any way other than 
reducing it (by printing postage) or increasing it (by 
authorized resetting activities). Some single stored lo- 
cation must necessarily be relied upon by all parties 
(the customer, the postal service, and the provider of to 
the meter) as the sole determinant of the value of the 
amount of postage available for printing. In electronic 
postage meters that single stored location is the se- 
cure physical housing of the meter itself. Within the 
secure housing one or more items of data in one or 25 
more nonvolatile memories serve to determine the 
amount of postage available for printing. 

Experience with modern-day systems employing 
processors shows that it is advantageous to guard 
against the possibility of a processor running amok. 30 
Generally a processor is expected to execute its stor- 
yed program and it is assumed the stored program con- 
tains no programming errors. Under rare circum- 
stances, however, a processor may commence exe- 
cuting something other than the stored program, such 35 
as data. Under other rare circumstances the proces- 
sor, even though it may be executing the stored pro- 
gram, nonetheless behaves incorrectly due to the in- 
correct contents of a processor register or a memory 
location. The former may occur if, for example, the in- 40 
struct ion pointer or program counter of the processor 
changes a bit due to, say, absorption of a cosmic ray. 
The latter may occur if the contents of the processor 
register or memory location are changed by that or 
other mechanisms. 45 

In pragmatic terms it is not possible to prove the 
correctness of a stored program; testing and debug- 
ging of the program serve at best to raise to a relative- 
ly high level (but not to certainty) the designer's con- 
fidence in the correctness of the code. Nonetheless so 
an unforeseen combination of internal states, or an 
unforeseen set of inputs, has been known to cause a 
program that was thought to be fully debugged to pro- 
ceed erroneously. 

For all these reasons in systems where crucial 55 
data are stored in what is necessarily a single location 
under control of a processor running a stored pro- 
gram, it is highly desirable to provide ways to detect 



a processor running amok and to reduce to a mini- 
mum the likelihood of the processor's harming the 
crucial data. In the particular case of a postage meter, 
it is desirable that the amount of postage available for 
printing, also called the descending register, be recov- 
erable by an authorized technician even if the system 
is completely inoperable from the customer's point of 
view, even after any of a wide range of possible proc- 
essor malfunctions. 

Numerous measures have been attempted to 
protect crucial data in such systems as postage me- 
ters. In a system having an address decoder providing 
selection outputs to the various memory devices in 
the system, it is known to monitor all the selection out- 
puts of the address decoder, and to permit the proc- 
essor's write strobe to reach certain of the memory 
devices only if (a) the address decoder has selected 
one of the certain memory devices, and (b) the ad- 
dress decoder has not selected any memory device 
other than the certain memory devices. 

In another system having an address decoder 
providing selection outputs to the various memory de- 
vices in the system, it is known to monitor the selec- 
tion outputs associated with certain of the memory 
devices, and to take a predetermined action if any of 
the selection outputs is selected for longer than a pre- 
determined interval of time. The predetermined ac- 
tion is to interrupt the write strobe and selection out- 
puts to the certain of the memory devices. 

Although these approaches isolate the certain 
memory devices (typically the devices containing the 
crucial postage data) upon occurrence of some cate- 
gories of malfunction, they do little or nothing to cure 
the malfunction when it is caused by a processor run- 
ning amok. That is, it is important to distinguish the 
problems just mentioned from the problem of physical 
malfunction of a processor or other system compo- 
nent. Simple physical malfunction can be quite rare if 
conservative design standards are followed and if the 
system is used in rated ambient conditions, so that the 
frequency of occurrence of such physical malfunc- 
tions can be low. But many of the above-mentioned 
failure modes are not of a lasting physical nature and, 
if appropriately cleared, need not give rise to perma- 
nent loss of functionality. 

It is also well-known to provide "watchdog" cir- 
cuits in computerized systems. In such a system the 
code executed by the processor includes periodic 
issuance of a watchdog signal which serves to clear 
a watchdog circuit If an excessive time passes with- 
out receipt of the watchdog signal, the watchdog cir- 
cuit takes protective action such as shutting down the 
system or resetting the processor. The latter action 
has the advantage that it may restore normal proces- 
sor function if, for example, the malfunction was due 
to a spurious change in the value of. the instruction 
pointer or program counter. But the watchdog circuit 
only triggers after the passage of a predetermined in- 
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terval, and processor malfunction could conceivably 
alter crucial data during the predetermined interval 
and prior to a watchdog- induced reset. It would be 
most desirable if crucial data could enjoy more com- 
prehensive safeguards against processor malfunc- 
tion, with the safeguards implemented in such a way 
as to permit restoration of proper processor function 
if possible. 

tn accordance with the invention there is provided 
a computer system, typically a postage meter system, 
comprising a processor (CPU) having a write strobe 
output and address outputs and executing a stored 
program, a memory having a selection input and a 
write strobe input, and an address-decoding means 
for providing a selection signal to the selection input 
of the memory in response to associated address out- 
puts from the processor, the computer system includ- 
ing a window means comprising latch means respon- 
sive to a setting signal and a clearing signal from the 
processor for coupling the write strobe output of the 
processor with the write strobe input of the memory 
when the latch means is set by the setting signal, and 
for decoupling the write strobe output of the processor 
from the write strobe input of the memory when the 
latch means is cleared by the clearing signal, and 
counter means responsive to the setting signal and 
the clearing signal from the processor for starting a 
counter upon receipt of the setting signal, for clearing 
the counter upon receipt of the clearing signal, and for 
interrupting the processor in the event of the counter 
reaching a predetermined threshold. 

Figs. 1,2, and 3 are functional block diagrams of 
prior art memory addressing systems; 
Fig. 4 is a functional block diagram of a memory 
addressing system according to the invention, in- 
cluding a window circuit; and 
Fig. 5 is a functional block diagram of the window 
circuit of Fig. 4. 

Like elements in the figures have, where possi- 
ble, been shown with like reference designations. 

In the typical prior art memory addressing system 
of Fig. 1, a processor 10 is capable of writing data to 
memory devices 11,12, and 1 3 by means of a system 
bus 19, of which address bus 14 and write strobe line 
15 are shown. Some of the address lines of address 
bus 14 are provided to a conventional address decod- 
er 16, these so-called "high-order" address lines are 
shown as the high-order portion 17 of the address 
bus. The so-called "low-order" portion 18 of the ad- 
dress bus 14 is provided to memory devices 11, 12, 
and 13, and to other devices in the memory space of 
processor 10. For clarity the data lines and other con- 
trol lines of the system bus 19 are omitted from Fig. 
1 , as are the other devices on the system bus, such 
as keyboard, display, read-only memory and printer. 

In Fig. 1 the write strobe signal from the processor 
10 is provided by a line 15 to the write strobe inputs 
21, 22, 23 of the memory devices 11,12, and 13 re- 



spectively. Memory device selection signals are pro- 
vided by select lines 20 running from the address de- 
coder 16 to "chip enable" inputs of the memory devic- 
es. For example, select lines 31, 32, and 33 provide 

5 respective select signals to corresponding chip en- 
able inputs 41 , 42, and 43 of the memory devices 1 1 , 
12, and 13, respectively. 

A line 34 from address decoder 16 is indicative 
generally that the address decoder selects other 

10 memory devices than those shown explicitly in Fig. 1 . 
Such memory devices typically include ROM (read- 
only memory), and memory-mapped input/output de- 
vices such as a keyboard, a display, a printer, and dis- 
crete input/output latches. 

15 It will be noted that in the system of Fig. 1 the write 

strobe signal is provided to all memory devices, in- 
cluding 11 , 12, and 13, whenever asserted on line 15 
by the processor 10. If the processor 10 were misbe- 
having seriously (as distinguished from the case of a 

20 processor or other system component failing in a 
physical, permanentway) the processor 1 0 could pro- 
vide addresses on the address bus 14 that were 
meaningful to the address decoder 16, enabling one 
or another of memory devices 11, 12, and 13 from 

25 time to time. If the write strobe signal of line 1 5 were 
asserted during one of the periods of enablement, the 
contents of some or all of the memory devices 11,12, 
and 13 could be lost. In the case of a postage meter, 
the descending register contents could be lost, a mat- 

30 ter of great concern for both the postal patron and the 
postal service. 

Fig. 2 shows a known prior art system for enhanc- 
ing the protection of selected memory devices, such 
as devices 12 and 13, here called "crucial" memory 

35 devices. Use of such a system might be prompted by 
the presence, in memory devices 1 2 and 1 3, of impor- 
tant postal data such as descending register data. In 
such a case memory devices 12 and 13 may be non- 
volatile memories. While memory device 11 contin- 
ue ues to receive the write strobe signal of line 15, just 
as in Fig. 1, it will be noted that the crucial memory 
devices 12 and 13 receive a gated signal 40 at respec- 
tive write strobe inputs 22 and 23. 

With further reference to Fig. 2, the selection out- 

45 puts 20 of address decoder 16 are connected to re- 
spective memory devices as in Fig. 1. The system of 
Fig. 2 differs, however, in that the selection outputs 20 
are also provided to multiple-input AND gate 61. The 
selection lines 32 and 33 for the crucial memory de- 

50 vices 12 and 13, respectively, are ORed at a gate 65 
and provided directly to the AND gate 61 . The remain- 
ing selection lines from the address decoder 16 are 
each inverted by inverters 67 and 69, as shown in Fig. 
2, and provided to the AND gate 61. The address de- 

55 coder 16 of Fig. 2 differs from many typical address 
decoders 1 6 such as shown in Fig. 1 in that every pos- 
sible address of the high-order address bus 1 7 is de- 
coded as one or another of the" selection outputs 20. 
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If necessary, a "none-of-the-above" selection output 
is provided to respond to addresses having no intend- 
ed physical counterpart in the system design. The re- 
sult is that the number of selection outputs 20 active 
at any given moment is exactly one, no more and no 5 
fewer. 

It will be appreciated that the output 63 of AND 
gate 61 is high if (a) one of the crucial memory devic- 
es is selected and (b) none of the other memory de- 
vices is selected. Signal 63 is one of two inputs to AND w 
gate 62; the other is the write strobe signal of line 1 5. 
The crucial memory devices, then, receive write 
strobe signals only when one or another of the crucial 
memory devices is currently being selected by the ad- 
dress decoder 16. 15 

In the circumstances of a system suffering no 
mechanical defect, the system of Fig. 2 offers no pro- 
tection of crucial data beyond that of Fig. 1. Assuming, 
for example, that the address decoder 16 and the ad- 
dress bus 14 and 17 are electrically intact, then the 20 
gates 61 and 62 have no effect. The gates 61 and 62 
only serve to block write strobe inputs at 22 and 23 
which would in any event be ignored by memory de- 
vices 12 and 13 because of the lack of asserted se- 
lection signals on lines 32 and 33. Stated differently, 25 
a processor 10 misbehaving seriously in a system of 
Fig. 2 that is electrically sound will be capable of de- 
stroying data in the crucial memory devices simply by 
presenting their addresses on the address bus 14. 
When the processor 10 presents a valid address on 30 
the address bus 14, the corresponding selection line, 
for example line 32, will be asserted and will be re- 
ceived at the chip-enable input 42 of memory device 
12. Likewise, the a strobe signal on line 40 will be 
made available to the write strobe input 22 of memory 35 
device 12. The possible result is loss or damage to the 
contents of memory device 12. 

Fig. 3 shows another prior-art system intended to 
protect data in crucial memory devices, say memory 
devices 12 and 13. In the system of Fig. 3, the proc- 40 
essor 10, address bus 14 and 17, and address decod- 
er 16 are as in Fig. 1. Memory device 11 , which is not 
a crucial memory device, receives the write strobe 
signal of line 15 directly, as in Fig. 1, and receives its 
corresponding selection signal 31 directly, also as in 45 
Fig. 1. 

Crucial memory devices 12 and 13, however, do 
not receive selection signals or the write strobe signal 
directly. Instead, AND gates 51, 52, and 53 are pro- 
vided, blocking the selection signals 32 and 33 and 50 
the write strobe signal of line 15 under circumstances 
which will presently be described. 

In the system of Fig. 3, the selection outputs for 
the crucial memory devices (here, selection signals 
32 and 33) are provided to a NOR gate 54. Most of the 55 
time the processor 10 is not attempting access to the 
crucial memory devices 12 and. 13, and so select sig- 
nals 32 and 33 remain unasserted (here assumed to 



be a low logic level); as a result the output 55 of gate 
54 is high. This clears counter 56. 

At such time as the processor 1 0 attempts to read 
from or write to either of the crucial memory devices 
12 or 13, a corresponding one of the selection lines 
32 or 33 is asserted. Output 55 of gate 54 goes low, 
and counter 56 is able to begin counting. 

Failure modes are possible in which an address 
line 32 or 33 may continue to be asserted for some 
lengthy period of time. For example, a mechanical de- 
fect in the address bus 14 and 17, in the address de- 
coder 16, or in the wiring of lines 31, 32, 33, and 34, 
may give rise to continued selection of a crucial mem- 
ory device 12 or 1 3. A consequence of such a mech- 
anical defect could be a write instruction from the 
processor 10 that is intended for, say, memory device 
11, but which, due to the mechanical malfunction, 
would cause a change in the contents of memory de- 
vices 12 or 13 as well. 

Although as just described the system of Fig. 3 of- , 
fers protection against certain mechanical failures, it 
provides only limited protection against the prospect 
of a processor misbehaving seriously. As will now be 
described, the system of Fig. 3 will fail to detect many 
of the possible ways a processor may misbehave, and 
will be successful at protecting against only a partic- 
ular subset of the possible ways of misbehavior. 

Those skilled in the art will appreciate that mem- 
ory read and memory write instructions carried out on 
the system bus represent only a portion of all the bus 
activities. Prior to the processor's execution of an in- 
struction forming part of the stored program, the proc- 
essor must necessarily have fetched the instruction 
from a memory device on the system bus. From the 
point of view of an observer of the bus, the fetch ac- 
tivity is electrically very similar to a memory read ac- 
tivity, and each includes a step of the processor 10 
providing an address on the system bus. The address 
decoder 16 handles memory read addresses the 
same way it handles fetch addresses. In a system 
functioning properly it is expected that the fetch ad- 
dresses will represent retrieval of data (i.e. instruc- 
tions for execution) only from locations that contain 
data, namely from the memory devices containing the 
stored program. In a system functioning properly it is 
also expected that fetching would never take place 
from locations containing data such as the descend- 
ing register. In systems such as those discussed here- 
in, where memory devices 12 and 13 are assumed to 
contain crucial data, it is expected that no fetching 
would take place from the memory devices 1 2 and 1 3. 
Indeed it would not be out of the ordinary for periods 
of time to pass in which fetches and memory access- 
es (either reading or writing) occurred on the system 
bus more or less in alternation. 

Under the normal steps of a typical stored pro- 
gram (in a system having no mechanical defects) it is 
expected that processor 1 0, shortly after initiating bus 
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access to an address giving rise to the assertion of se- 
lection lines 32 or 33, will proceed to bus access else- 
where in the address space of the processor. Such 
bus access elsewhere would reset the counter 56 and 
avert the decoupling of gates 51, 52, and 53. 

As one example, the conventional fetching of in- 
structions for execution may cause the address de- 
coder to stop asserting selection lines 32 and 33 and 
to assert instead the selection line for some memory 
device containing stored program. This would be the 
usual process in a system lacking any mechanical de- 
fect Thus, fetching (at least in a system that is free of 
mechanical defect) would generally keep the counter 
56 reset more or less continuously, except in the spe- 
cial case of processor malfunction where the instruc- 
tion pointer or program counter happened to point to 
a crucial memory. 

It will be appreciated, then, that in the event of 
persistent assertion of one of the selection lines 32 or 
33 due to a cause* other than a mechanical defect, this 
would be expected to occur only if the processor hap- 
pened to be fetching instructions for execution from 
the selected memory. Thus if the processor misbe- 
haves seriously, and if it happens to be doing so while 
its instruction pointer or program counter is causing 
instructions (actually, data) to be fetched from the cru- 
cial data of one of the memories 12 and 13, the coun- 
ter 56 would block access to the crucial memory de- 
vice after the passage of a preset time interval. 

In the more general case, however, of a proces- 
sor misbehaving seriously with its instruction pointer 
or program counter causing instructions to be fetched 
from a memory device other than the crucial data, the 
counter 56 would be periodically cleared, bringing an 
end to any blocking of access (by gates 51, 52, and 
53) to the crucial memory device. In summary, though 
the system of Fig. 3 protects against some mechani- 
cal failures, it does not comprehensively protect 
against the potential problem of a processor misbe- 
having seriously. 

Turning now to Fig. 4, a block diagram shows a 
system of an embodiment of the invention. Processor 

10 provides address signals to the address bus 14 
and to the address decoder 16, just as in the system 
of Fig. 1. The memory devices 11, 12, 13 all receive 
respective selection signals from the address decod- 
er 16 just as in the system of Fig. 1. Memory device 

11 receives the write strobe signal of line 15 as in the 
system of Fig. 1. Crucial memory devices 12 and 13, 
however, receive inputs at their write strobe inputs 22 
and 23 not from line 15 but from a window circuit 70. 
Window circuit 70 receives requests from the proces- 
sor 1 0 by I/O port transactions or, preferably, by mem- 
ory-mapped l/o transactions. In the latter arrange- 
ment a selection signal 35 from address decoder 16 
is provided to the window circuit 70, and preferably it 
also receives low-order address bits from low-order 
address bus 1 8. 



In Fig. 5, depicting the window circuit, an output 
86 of latch 80 is normally low. The normally-low state 
of line 86 turns off an AND gate 81 so that a write 
strobe signal 72 for the memory 12 is unasserted. 
5 With the line 86 low, the write strobe signal of line 15 
does not have any effect on the output 72 of the win- 
dow circuit 70. For similar reasons an output 73 is also 
unasserted. 

When line 86 and a corresponding line 96 are 

w both low, which is typically most of the time, a pair of 
counters 83, 93 are continuously cleared. Outputs 87 
and 97 of the counters 83, 93 are thus both low, so that 
an OR gate 85 has a low output 71 . The processor 10 
receives the unasserted signal 71 at its reset input 75, 

is so is permitted to continue normal execution of the 
stored program. 

Under control of the stored program the proces- 
sor 1 0 gains write access to crucial memory devices 
12 or 13 as follows. Referring now to Fig. 5, to write 

20 to memory device 12 the processor writes a com- 
mand to the latch 80 representative of a request for 
access. The output 86 of latch 80 goes high, turning 
on the gate 81 and permitting write strobe signals of 
the line 15 to be communicated to the output 72 of the 

25 window circuit, and thence to the write strobe input of 
memory device 12. The high level of line 86 causes 
an inverter 82 to go low, removing the clear input to 
the counter 83. Counter 83 commences counting, and 
if it reaches a preset threshold its output 87 goes high, 

30 turning on OR gate 85. This resets the processor 1 0. 
The preset threshold of counter 83 is changeable by 
commands to a latch 84 from the processor. In the 
normal course of execution of a stored program, typ- 
ically the processor 10 would write a second com- 

35 mand to latch 80 shortly after making its accesses to 
memory device 12, causing the output 86 of latch 80 
to return to its normal, low state. This would reset the 
counter 83 and avert any resetting of the processor 
10. 

40 Similarly, if the processor 10 writes a command 

(called a setting signal) to a latch 90 to turn on the line 
96, write access to the memory device 1 3 will be pos- 
sible, and the clock 93 will begin counting. In the nor- 
mal course of events typically the processor 10 would 

45 fairly promptly write a second command (called a 
clearing signal) to latch 90, cutting off the write strobe 
signal to device 13 and clearing the counter 93. The 
counter 93 is programmable by commands to a latch 
94. As a consequence, each of the counters is individ- 

so ually programmable. This is desired because the 
memories 12, 13 are preferably of different storage 
technologies, for which different writing and access 
times may apply. Thus a memory of a technology with 
a slow access time may be accommodated by pro- 

55 gramming its respective counter for a longer interval, 
while memory of a technology with a fast access time 
may be more closely protected by programming its re- 
spective counter for a shorter interval. 
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In one embodiment it has been found preferable 
to provide additional .logic in the circuit 70 of Fig. 5, so 
that the gate 81 is initially enabled by a flip-flop (not 
shown in Fig. 5) upon power-on, and continues to be 
enabled regardless of the state of latch 80. The addi- 5 
tional logic is arranged so that a subsequent signal 
from the processor sets the flip-flop so that it no lon- 
ger enables gate 81 . From that point onwards the gate 
81 is enabled only by the latch 80. 

It has been found preferable to make the memor- w 
ies of differing technologies; in one embodiment the 
first memory is an EEPROM (electrically erasible pro- 
grammable read only read only memory) and the sec- 
ond memory is a battery- backed- up CMOS RAM 
(complementary metal-oxide semiconductor random 15 
access memory). In the embodiment the first prede- 
termined threshold is about 341 milliseconds, and the 
second predetermined threshold is about 682 milli- 
seconds, all selected for an eight- bit processor run- 
ning at 6 MHz. 20 

Returning now to Fig. 4 t the reset signal 71 may 
be seen which, if asserted, causes a reset to the proc- 
essor 10 at its reset input 75. Generally this could be 
any hardware interrupt to the processor 10, but pre- 
ferably it is the reset input, which may be thought of 25 
as the highest priority hardware interrupt The reset 
input causes program execution from the instruction 
at memory location zero, thus eliminating any possi- 
ble problem with spurious contents of the instruction 
pointer or program counter. The reset input also re- 30 
sets all other internal states of the processor 1 0, thus 
eliminating any possible problem with spurious inter- 
nal states of the processor 10. Where the condition 
giving rise to one or another of the counters 83, 93 
reaching its threshold was a processor misbehaving 35 
seriously, then, there is the possibility the processor 
will execute its stored program correctly thereafter. 

Preferably a latch 74 is provided, external to the 
processor 10 and capable of latching the reset signal 
71. The stored program for processor 10 preferably 40 
has steps that check, upon execution starting at zero, 
to see whether the latch 74 is set If it is not, the as- 
sumption is that the execution from zero was due to 
initial application of power. If latch 74 is set, the as- 
sumption is that execution from zero was due to a re- 45 
set from the window circuit 70, and the processor can 
appropriately note the event Repeated notations of a 
reset due to the window circuit 70 will preferably 
cause the processor 10, under stored program con- 
trol, to annunciate an appropriate warning message so 
to the user. 

It will be appreciated that the system of the inven- 
tion offers numerous benefits over the prior art. As 
mentioned above the system of the invention offers 
more protection against the possibility of a processor 55 
misbehaving seriously. The counter 83 or (93) starts 
counting with the event of the processor 10 sending 
the command to the latch 801(or 90) for access to the 



memory device. This gives the counter a head start 
in detecting problems, as compared with the counter 
56 of Fig. 3, which only starts counting with the occur- 
rence of a selection signal from the address decoder 
1 6. In the system of Fig. 5 the counter 83 or (93) runs 
freely until such time as a command for ceasing ac- 
cess to the memory device is received at the latch 80 
(or 90). In contrast in the system of Fig. 3 the counter 
56 will be cleared every time the processor 10 hap- 
pens to make reference, by memory reading and writ- 
ing or by instruction fetching, to any address outside 
the crucial memories 12, 13. Finally, the protective ac- 
tion taken by the system of Fig. 3 is no more than in- 
terrupting the connection of write strobe and/or selec- 
tion lines. In contrast, the system of Figs. 4 and 5 
takes the step of interrupting (and preferably reset- 
ting) the processor, which will at least sometimes rem- 
edy completely the condition giving rise to the mal- 
function. 

While the above is a description of the invention, 
in its preferred embodiment, various modifications, 
alternate constructions, and equivalents may be em- 
ployed. Therefore, the above description and illustra- 
tion should not be taken as limiting the scope of the 
invention, which is defined by the appended claims. 

Claims 

1 . A computer system comprising: a processor (10) 
having a write strobe output (15) and address out- 
puts operable to execute a stored program; a first 
memory (12) having a selection input and a write 
strobe input (72); address-decoding means (16) 
for providing a selection signal to the selection in- 
put of the first memory in response to associated 
address outputs from the processor; and window 
means (70), the window means comprising: 

first latch means (80) responsive to a first 
setting signal and a first clearing signal from the 
processor arranged to couple the write strobe 
output of the processor with the write strobe input 
of the first memory when the first latch means are 
set by the first setting signal, and for decoupling 
the write strobe output of the processor from the 
write strobe input of the first memory when the 
first latch means is cleared by the first clearing 
signal; and 

first counter means (83) responsive to the 
first setting signal and the first clearing signal 
from the processor for starting a counter upon re- 
ceipt of the first setting signal, for clearing the 
counter upon receipt of the first clearing signal, 
and for interrupting the processor in the event of 
the counter reaching a first predetermined 
threshold. 

2. A computer system as claimed in claim 1 , indud- 
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ing a postage printer, and wherein the first mem- 
ory is arranged -to contain information indicative 
of an amount of postage available for printing. 

3. A computer system as claimed in claim 1 or 2, 5 
wherein the first counter means further comprise 
means (83) responsive to receiving a command 
from the processor indicative of the first threshold 
value for setting the first predetermined threshold 

to the indicated value. 10 

4. A computer system as claimed in claim 1 , 2 or 3, 
wherein the first latch means are a first memory- 
mapped latch (80), the first setting signal com- 
prises a processor write command of a first pre- 15 
determined data value to the first memory-map- 
ped latch, and the first clearing signal comprises 

a processor write command of a second predeter- 
mined data value to the first memory-mapped 
latch. 20 

5. A computer system as claimed in claim 1 , 2, 3 or 
4, wherein the first counter means further com- 
prise a second memory-mapped latch (84), and 

the command from the processor indicative of a 25 
threshold value comprises at least one processor 
write command to the second memory-mapped 
latch. 

6. A computer system as claimed in any of claims 1 30 
to 5, wherein the processor has a reset input (75) 

that resets the processor upon receipt of a reset 
signal, the first counter means being operable to 
interrupt the processor by generating the reset 
signal. 35 

7. A computer system as claimed in any of claims 1 
to 6, further comprising third latch means (74) re- 
sponsive to receipt of the reset signal for storing 
information indicative of occurrence of the reset 40 
signal, the contents of the third latch means being 
available as an input to the processor. 

8. A computer system as claimed in any of claims 1 

to 7, further comprising a second memory (13) 45 
having a selection input and a write strobe input 
(73), the address-decoding means further provid- 
ing a selection signal to the selection input of the 
second memory in response to associated ad- 
dress outputs from the processor, and the window so 
means further comprising : 

second latch means (90) responsive to a 
second setting signal and a second clearing sig- 
nal from the processor arranged to couple the 
write strobe output of the processor with the write 55 
strobe input of the second memory when the sec- 
ond latch means is set by the second setting sig- 
nal, and for decoupling the write strobe output of 



the processor from the write strobe input of the 
second memory when the second latch means is 
cleared by the second clearing signal; and 

second counter means (93) responsive to 
the second setting signal and the second clearing 
signal from the processor for starting a counter 
upon receipt of the second setting signal, for 
clearing the counter upon receipt of the second 
clearing signal, and for interrupting the processor 
in the event of the counter reaching a second pre- 
determined threshold. 

9. A computer system as claimed in claim 8, wherein 
the second counter means further comprise 
means (93) responsive to receiving a command 
from the processor indicative of a threshold value 
for setting the second predetermined threshold to 
the indicated value. 

10. A computer system as claimed in claim 8 or 9 M 
wherein the second latch means are a third mem- 
ory-mapped latch (90), the second setting signal 
comprises a processor write command of a third 
predetermined data value to the third memory- 
mapped latch, and the second clearing signal 
comprises a processor write command of a fourth 
predetermined data value to the third memory- 
mapped latch. 

11. A computer system of claim 8, 9 or 10, wherein 
the second counter means further comprise a 
fourth memory-mapped latch (94), and the com- 
mand from the processor indicative of a threshold 
value comprises at least one processor write 
command to the fourth memory-mapped latch. 

1 2. A computer system as claimed in claim 8, 9, 1 0 or 
11, wherein the second counter means are oper- 
able to interrupt the processor by generating the 
reset signal. 

13. A computer system as claimed in any of claims 8 
to 12, wherein the second predetermined thresh- 
old is set to an interval longer than that of the first 
predetermined threshold. 

1 4. A computer system as claimed in claim 1 3, where- 
in the first memory is an EEPROM, the second 
memory is a battery-backed-up CMOS RAM, the 
first predetermined threshold is no greater than 
about 341 milliseconds, and the second predeter- 
mined threshold is no greater than about 682 mil- 
liseconds. 
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(Q) Protection system for critical memory information. 

(57) A computer system, typically a postage meter 
system, has a processor (10), a memory 
(11,12,13), an address decoder (16), and a win- 
dow circuit (70). The window circuit (70) selec- 
tively couples the write strobe output (15) of the 
processor (10) with the write strobe input 
(22,23) of the memory (12,13) in response to the 
processor's (10) setting and clearing of a latch- 
ed signal. A counter resets the processor (10) if 
the latched signal is set and not cleared within a 
predetermined time period. 
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